Privacy laws & Employee DSARs

July 23, 2021


When you hear the term “data privacy” you likely think of major global consumer privacy regulations such as GDPR, CCPA, and LGPD. Your business presumably has policies in place to follow global or local regulations. You work hard to protect your customers’ personal data. 

Because of this increased focus on privacy, employees are more aware of their rights in this area, too. Employees may make a privacy law request if they are unhappy with something about their employer.

In fact, employee rights are becoming more common and more in scope for privacy regulations such as the GDPR and CPRA. Your employees now have a way to legally request information that could be useful to them when they have a complaint against your company which may or may not be related to your company. 

Your organization must be prepared to handle these employee data subject access requests (DSARs). 

Today, greater amounts of unstructured data related to employees — think HR systems, emails, and documents — are being combined with that of data subjects. Sensitive information about people other than the data requester has to be removed from materials before you can share them with the data requester. This is a resource-intensive process when completed manually, and leaves the door open for errors.

Download the Checklist: The 4 Step Checklist for Fulfilling Employee DSARs

Organizations faced with employee data subject access requests (DSARs) need a tool that uses automation to properly redact data. But first, you need to take steps to try to negate the need for the employee DSAR in light of existing privacy laws.

GDPR and Employee DSARs

When GDPR went into effect in 2018, it awakened the world to the importance of privacy rights for consumers. Under this legislation, employees have many of the same privacy rights as consumers. Organizations need to take employee DSARs just as seriously as they would a consumer DSAR.

When an employee submits a DSAR under the GDPR, there are three factors that will determine the scope of the process. 

1: The risk

Assess how serious the claims are that the employee is making. If you release the requested information, understand what the potential impact will be to your organization. For example, if you have to release privileged information, this is a high-risk scenario. It could hurt your side of the case in this employee dispute. All of those considerations need to be evaluated in the context of valid legal reasons you may have to avoid sharing certain information.  

2: The data redaction process

Information disclosed in response to an employee DSAR should not include information that could breach someone else’s privacy rights. Other people’s personal information must therefore be taken out if there is no legal basis for disclosing it, such as consent from that other person. This makes the data redaction process highly complex and time-consuming, as the data subject’s personal information is often commingled with other people’s information in hundreds, if not thousands, of emails and documents.

3: Confidential information

The other part of the data redaction process is excluding organization-sensitive information such as trade secrets that need to be legitimately protected. 

Because employee DSARs must be processed quickly, it is essential to have a plan of action in place to assess and handle them. You will need to stay coordinated with internal and external stakeholders like your legal team. And you will need to know exactly where to look for data when a DSAR is sent, and articulate key words or concepts that could indicate information that requires protection.

You should also try to narrow the scope of the request by asking the submitting employee questions that clarify exactly what they are after. This can speed up the entire review process. 

The CCPA/CPRA and Employee DSARs

The CCPA went into effect on January 1, 2020 to give California consumers more control over their personal information. The CPRA is the updated version of this law that went into effect in November 2020. 

Under this law, employees are also considered “consumers” and hold the same rights.

Because of the attention GDPR employee DSARs have received, experts anticipate that the ongoing adoption of the CCPA, insofar as it relates to employees as from 1 January 2023, is going to have a similar effect: an increased number of employee DSARs based on this regulation.

The mandate to prepare for this surge could not be clearer for employers.

In order to meet this DSAR demand, organizations will have to create a plan to scale. Subject to any further clarification or regulation by the California AG, you can probably expect the same factors that apply under the GDPR to hold true for the CPRA. And you can take the same steps to manage the handling of an employee request.

One thing is painfully clear: Manual redaction processes won’t cut it for either the GDPR or CPRA.

Manual redaction is time-consuming, and the results are often riddled with errors. You are racing against the clock while trying to protect your organization’s information, including other people’s personal information.

Fortunately, you can now lean on modern technology to help.

Conclusion: Make employee DSARs less painful

Finding all the relevant information relating to the employee in the context of a request is a big exercise. It involves knowing what to look for and looking for the information across a wide variety of systems, such as HR systems, emails, and documents.

Redacting data for an employee DSAR request is often a tedious and complex process. You have to wade through countless emails and documents to remove private information. 

Add up all the time it takes to go through this process, as well as any legal fees associated with answering the employee DSAR request, and you have got a high bill to pay in time and money.

Automation can make compliance a much more manageable, timely, and affordable process for your business. 

OneTrust DSAR Solution offers an automated and integrated solution for dealing with employee DSARs, from automatically discovering the data across the various systems and managing the process around fulfilling the request to automatically redacting sensitive data from files more quickly and efficiently than the existing manual processes.
